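Linux System Tips (6): The Blade Combo of strace and wireshark
First, a note: wireshark here can be replaced with tcpdump. Likewise, strace can occasionally be replaced with ltrace, as long as you are familiar with the library functions.
For hackers, wireshark and strace are both must-have tools in the toolbox. What engineer with troubleshooting and diagnosis experience has not captured and analyzed packets?
strace is comparatively less well known; after all, not many people have both the willingness and the ability to trace a process's execution path and analyze it. There are also twenty to thirty common system calls to know.
Why are system calls so powerful?
Let us first make clear why the strace tool is so powerful. See the figure.
Linux is already complex enough, and there are also complex interactions between the file subsystem and the process control subsystem, so the figure above is only a rough sketch. Even so, it conveys where system calls sit and what they do.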
The system call is the fundamental interface between an application and the Linux kernel.
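Given where this layer sits, whether a user-space application triggers an event or passively responds to a kernel event, every interaction between user space and the kernel over that event passes through the system call layer. Tracing and analyzing the data at this layer is therefore sufficient for diagnosing problems caused by the interaction between a user-space process and the system. For diagnosing problems in the user-space application itself, except in very special cases (a simple program like hello world? it is hard to imagine a useful application that makes no system calls at all), it at least provides leads for the next step of the investigation.
Why combine strace and wireshark?
This is the network era, but what strace can cover is limited to a single machine. We need a tool to extend its reach, and the free, open wireshark is without doubt strace's best teammate. If we capture packets while tracing a process's execution path, strace is no longer confined to a single machine.
Of course, getting strace and wireshark to work together has a cost. First, you need to understand (ideally be familiar with) the common system calls. Second, you need to be able to link the output of strace with the output of wireshark. Time is undoubtedly one of the best media for that. To have strace print timestamps as well, run it like this: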
strace -f -ff -s 256 -tt -o strace.log your_program
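A real case
Here is an example. The figure below uses timestamps to link packet retransmissions to thread behaviour. From there, thread behaviour can be mapped to business logic and explained at the business level.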
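The timestamp correlation described above, as an added example (not part of the original post): it flags a data segment that tcpdump sees twice and lists what each traced thread was doing just before. The log lines, PIDs, addresses and the simplified "same src/dst/seq seen again" retransmission heuristic are constructed assumptions, and both tools are assumed to run on the same host clock.

```python
import re
from datetime import datetime, timedelta

TS = "%H:%M:%S.%f"  # format printed by `strace -tt` and by tcpdump's default text output
# Constructed sample: per-thread files as written by `strace -f -ff -tt -o strace.log`
STRACE = {
    "strace.log.4101": [
        '10:00:01.100200 sendto(5, "GET /a"..., 6, 0, NULL, 0) = 6',
        '10:00:01.100900 recvfrom(5, 0x7ffd1000, 4096, 0, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)',
        '10:00:01.520100 recvfrom(5, "HTTP/1.1 200"..., 4096, 0, NULL, NULL) = 512',
    ],
    "strace.log.4102": ['10:00:01.101500 futex(0x7f00aa00, FUTEX_WAIT_PRIVATE, 0, NULL) = 0'],
}
# Constructed sample: `tcpdump -n` lines captured on the same host (same clock)
TCPDUMP = [
    '10:00:01.100310 IP 10.0.0.5.40000 > 10.0.0.9.80: Flags [P.], seq 1:7, ack 1, win 229, length 6',
    '10:00:01.310450 IP 10.0.0.5.40000 > 10.0.0.9.80: Flags [P.], seq 1:7, ack 1, win 229, length 6',
    '10:00:01.519800 IP 10.0.0.9.80 > 10.0.0.5.40000: Flags [P.], seq 1:513, ack 7, win 227, length 512',
]
PKT = re.compile(r"^(\S+) IP (\S+) > (\S+): .*seq (\d+:\d+),.*length (\d+)")

def strace_events(logs):
    """Yield (time, pid, syscall text); the pid is the suffix of each log file name."""
    for name, lines in logs.items():
        pid = name.rsplit(".", 1)[1]
        for line in lines:
            stamp, text = line.split(" ", 1)
            yield datetime.strptime(stamp, TS), pid, text

def retransmissions(pcap_lines):
    """Return (time, (src, dst, seq)) for every data segment that is seen a second time."""
    seen, hits = set(), []
    for line in pcap_lines:
        m = PKT.match(line)
        if not m or m.group(5) == "0":   # skip non-matching lines and pure ACKs
            continue
        key = m.group(2, 3, 4)
        if key in seen:
            hits.append((datetime.strptime(m.group(1), TS), key))
        seen.add(key)
    return hits

def context(logs, pcap_lines, window_ms=300):
    """For each retransmission, list what every traced thread did in the window before it."""
    events = sorted(strace_events(logs))
    report = []
    for when, key in retransmissions(pcap_lines):
        lo = when - timedelta(milliseconds=window_ms)
        near = [(t.strftime(TS), pid, s) for t, pid, s in events if lo <= t <= when]
        report.append((key, when.strftime(TS), near))
    return report

if __name__ == "__main__":
    print(context(STRACE, TCPDUMP))
```

Time-of-day stamps wrap at midnight; for longer captures use `strace -ttt` and `tcpdump -tt` (epoch seconds) and parse them as floats instead.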
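Which system calls do you need to know?
However, analyzing a process's execution path from captured system calls is not possible without knowing some of the common ones. So which system calls do we need to master?
First, get familiar with reading the man pages, so that you can quickly man whatever you need.
Beyond that, you need to master about 30 common system calls. We list them in the form of questions for reference.
A demo for practice and experiments
Today's tools, even echo, have become quite complex because of cross-platform support, backward compatibility, support for many options, and so on. Here we provide a demo for hands-on practice.
This is a demo shell. Compile it as needed, then trace it with strace.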
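#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <stdlib.h>

int parse_inputs(char *buf, char **argv, long max_len);
int usage(void);

int main(int argc, char **argv)
{
    int rv = 0;
    int status;
    pid_t pid;
    long input_max_len;
    char *buf = NULL;
    char **cmd = NULL;

    if (argc > 1) {
        usage();
        goto out;
    }

    /* sysconf() returns -1 when the limit is indeterminate; use a fixed fallback */
    input_max_len = sysconf(_SC_LINE_MAX);
    if (input_max_len < 2) {
        input_max_len = 2048;
    }
    buf = malloc(input_max_len * sizeof(*buf));
    cmd = malloc(input_max_len * sizeof(*cmd));
    if (buf == NULL || cmd == NULL) {
        rv = 1;
        fprintf(stderr, "failed to alloc memory\n");
        goto out;
    }

get_cmd:
    fprintf(stdout, "[demo-shell] ");
    if (parse_inputs(buf, cmd, input_max_len)) {
        /* EOF (ctrl + d) or an over-long line ends the shell */
        goto out;
    } else if (cmd[0] == NULL) {
        /* empty line: nothing to execute, prompt again */
        goto get_cmd;
    } else {
        goto run_cmd;
    }

run_cmd:
    pid = fork();
    if (pid < 0) {
        perror("fork");
        rv = 1;
        goto out;
    }
    if (pid) {
        /* parent: wait for the command to finish, then prompt again */
        if (wait(&status) == -1) {
            perror("wait");
            rv = 1;
            goto out;
        }
        goto get_cmd;
    } else {
        /* child: execvp() searches PATH and only returns on failure */
        if (execvp(cmd[0], cmd) < 0) {
            perror("execvp");
            rv = 1;
            goto out;
        }
    }

out:
    if (buf) {
        free(buf);
    }
    if (cmd) {
        free(cmd);
    }
    return rv;
}

/*
 * Split the typed line into argv[] in place. loc is the start of the
 * current token, len is the position of the character being read.
 *
 * suppose we typed the command 'ls -l', when the space is read
 *
 *  loc     len
 *   |       |
 *   v       v
 * .---.---.---.---.---.----.
 * | l | s |   |   |   |    |
 * .___.___.___.___.___.____.
 *
 * then, when the newline is read
 *
 *              loc     len
 *               |       |
 *               v       v
 * .---.---.---.---.---.----.
 * | l | s | \0| - | l | \n |
 * .___.___.___.___.___.____.
 *
 * The character at len (the space, then the newline) is not stored:
 * '\0' is written there instead and argv[idx] is pointed at &buf[loc].
 */
int parse_inputs(char *buf, char **argv, long max_len)
{
    int c;
    int rv = 0;
    long len = 0;
    long loc = 0;
    long idx = 0;

    while (1) {
        c = getchar();
        if (c == EOF) {
            rv = -1;
            goto out;
        } else if (c == '\n') {
            if (loc < len) {
                buf[len] = '\0';
                argv[idx] = &buf[loc];
                loc = len + 1;
                idx += 1;
            }
            argv[idx] = (char *) NULL;
            goto out;
        } else if (c == ' ') {
            if (loc < len) {
                buf[len] = '\0';
                argv[idx] = &buf[loc];
                loc = len + 1;
                idx += 1;
            } else {
                /* skip leading and repeated spaces */
                continue;
            }
        } else {
            /* keep one byte free for the terminating '\0' */
            if (len >= max_len - 1) {
                fprintf(stderr, "input line too long\n");
                rv = -1;
                goto out;
            }
            buf[len] = c;
        }
        len += 1;
    }

out:
    return rv;
}

int usage(void)
{
    int rv = 0;

    fprintf(stdout, "./demo-shell\n");
    return rv;
}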
For example, to keep the trace as close to the source code as possible, we can run the experiment like this:
cc -O0 -o demo-shell demo-shell.c
[ -d strace-log ] || mkdir strace-log
strace -o strace-log/log -f -ff -tt -s 64 ./demo-shell
The actual run looks like this:
[root@demo lab]# ls
demo-shell.c
[root@demo lab]# cc -O0 -o demo-shell demo-shell.c
[root@demo lab]# [ -d strace-log ] || mkdir strace-log
[root@demo lab]# ls
demo-shell demo-shell.c strace-log
[root@demo lab]# strace -o strace-log/log -f -ff -tt -s 64 ./demo-shell
[demo-shell] ls
demo-shell demo-shell.c strace-log
[demo-shell] pwd
/root/bf/work/lab
[demo-shell] ls strace-log
log.20541 log.20542 log.20545 log.20549
[demo-shell] [root@demo lab]#
Experimental data
We also give the contents of log.20541 and log.20542 for readers who cannot compile and run the experiment.
[root@demo lab]# cat strace-log/log.20541
09:35:17.039887 execve("./demo-shell", ["./demo-shell"], [/* 22 vars */]) = 0
09:35:17.040893 brk(0) = 0x1432000
09:35:17.041053 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f17e60f5000
09:35:17.041249 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
09:35:17.041487 open("/etc/ld.so.cache", O_RDONLY) = 3
09:35:17.041681 fstat(3, {st_mode=S_IFREG|0644, st_size=41496, ...}) = 0
09:35:17.041878 mmap(NULL, 41496, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f17e60ea000
09:35:17.042049 close(3) = 0
09:35:17.042277 open("/lib64/libc.so.6", O_RDONLY) = 3
09:35:17.042459 read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\356\1\2559\0\0\0@\0\0\0\0\0\0\0000a\35\0\0\0\0\0\0\0\0\0@\0008\0\n\0@\0N\0M\0"..., 832) = 832
09:35:17.042652 fstat(3, {st_mode=S_IFREG|0755, st_size=1930416, ...}) = 0
09:35:17.042831 mmap(0x39ad000000, 3750184, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x39ad000000
09:35:17.043044 mprotect(0x39ad18a000, 2097152, PROT_NONE) = 0
09:35:17.043209 mmap(0x39ad38a000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x18a000) = 0x39ad38a000
09:35:17.043384 mmap(0x39ad390000, 14632, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x39ad390000
09:35:17.043545 close(3) = 0
09:35:17.043710 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f17e60e9000
09:35:17.043906 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f17e60e8000
09:35:17.044075 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f17e60e7000
09:35:17.044240 arch_prctl(ARCH_SET_FS, 0x7f17e60e8700) = 0
09:35:17.044518 mprotect(0x39ad38a000, 16384, PROT_READ) = 0
09:35:17.044693 mprotect(0x39ace20000, 4096, PROT_READ) = 0
09:35:17.044869 munmap(0x7f17e60ea000, 41496) = 0
09:35:17.045193 brk(0) = 0x1432000
09:35:17.045353 brk(0x1453000) = 0x1453000
09:35:17.045533 fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
09:35:17.045698 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f17e60f4000
09:35:17.045864 fstat(0, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
09:35:17.046043 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f17e60f3000
09:35:17.046220 write(1, "[demo-shell] ", 13) = 13
09:35:17.046387 read(0, "ls\n", 1024) = 3
09:35:18.923214 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f17e60e89d0) = 20542
09:35:18.924211 wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 20542
09:35:18.953091 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=20542, si_status=0, si_utime=0, si_stime=0} ---
09:35:18.953242 write(1, "[demo-shell] ", 13) = 13
09:35:18.953487 read(0, "pwd\n", 1024) = 4
09:35:21.202256 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f17e60e89d0) = 20545
09:35:21.203348 wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 20545
09:35:21.213873 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=20545, si_status=0, si_utime=0, si_stime=0} ---
09:35:21.213991 write(1, "[demo-shell] ", 13) = 13
09:35:21.214215 read(0, "ls strace-log\n", 1024) = 14
09:35:30.611217 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f17e60e89d0) = 20549
09:35:30.611983 wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 20549
09:35:30.639174 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=20549, si_status=0, si_utime=0, si_stime=0} ---
09:35:30.639284 write(1, "[demo-shell] ", 13) = 13
09:35:30.639495 read(0, "# ctrl + d\n", 1024) = 11
09:35:43.687289 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f17e60e89d0) = 20553
09:35:43.688445 wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 20553
09:35:43.692210 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=20553, si_status=1, si_utime=0, si_stime=0} ---
09:35:43.692356 write(1, "[demo-shell] ", 13) = 13
09:35:43.692547 read(0, "", 1024) = 0
09:35:47.231231 exit_group(0) = ?
09:35:47.231743 +++ exited with 0 +++
[root@demo lab]#
Now look at the strace log of the child process (which ran the ls command).
[root@demo lab]# cat strace-log/log.20542
09:35:18.924010 execve("/usr/local/sbin/ls", ["ls"], [/* 22 vars */]) = -1 ENOENT (No such file or directory)
09:35:18.924441 execve("/usr/local/bin/ls", ["ls"], [/* 22 vars */]) = -1 ENOENT (No such file or directory)
09:35:18.924759 execve("/sbin/ls", ["ls"], [/* 22 vars */]) = -1 ENOENT (No such file or directory)
09:35:18.925089 execve("/bin/ls", ["ls"], [/* 22 vars */]) = 0
09:35:18.925901 brk(0) = 0x2594000
09:35:18.926162 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f874a9aa000
09:35:18.926375 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
09:35:18.926580 open("/etc/ld.so.cache", O_RDONLY) = 3
09:35:18.926757 fstat(3, {st_mode=S_IFREG|0644, st_size=41496, ...}) = 0
09:35:18.926919 mmap(NULL, 41496, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f874a99f000
09:35:18.927074 close(3) = 0
09:35:18.927330 open("/lib64/libselinux.so.1", O_RDONLY) = 3
09:35:18.927505 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0PY\200\2569\0\0\0@\0\0\0\0\0\0\0 \337\1\0\0\0\0\0\0\0\0\0@\0008\0\10\0@\0\37\0\36\0"..., 832) = 832
09:35:18.927697 fstat(3, {st_mode=S_IFREG|0755, st_size=124640, ...}) = 0
09:35:18.927903 mmap(0x39ae800000, 2221912, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x39ae800000
09:35:18.928123 mprotect(0x39ae81d000, 2093056, PROT_NONE) = 0
09:35:18.928296 mmap(0x39aea1c000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c000) = 0x39aea1c000
09:35:18.928492 mmap(0x39aea1e000, 1880, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x39aea1e000
09:35:18.928673 close(3) = 0
09:35:18.928838 open("/lib64/librt.so.1", O_RDONLY) = 3
09:35:18.929059 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240!@\2569\0\0\0@\0\0\0\0\0\0\0P\260\0\0\0\0\0\0\0\0\0\0@\0008\0\t\0@\0)\0(\0"..., 832) = 832
09:35:18.929256 fstat(3, {st_mode=S_IFREG|0755, st_size=47760, ...}) = 0
09:35:18.929432 mmap(0x39ae400000, 2128816, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x39ae400000
09:35:18.929605 mprotect(0x39ae407000, 2093056, PROT_NONE) = 0
09:35:18.929771 mmap(0x39ae606000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x39ae606000
09:35:18.929984 close(3) = 0
09:35:18.930221 open("/lib64/libcap.so.2", O_RDONLY) = 3
09:35:18.930446 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\23@\2639\0\0\0@\0\0\0\0\0\0\0\310B\0\0\0\0\0\0\0\0\0\0@\0008\0\6\0@\0\36\0\35\0"..., 832) = 832
09:35:18.930631 fstat(3, {st_mode=S_IFREG|0755, st_size=19016, ...}) = 0
09:35:18.930808 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f874a99e000
09:35:18.930997 mmap(0x39b3400000, 2111776, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x39b3400000
09:35:18.931188 mprotect(0x39b3404000, 2093056, PROT_NONE) = 0
09:35:18.931387 mmap(0x39b3603000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x39b3603000
09:35:18.931586 close(3) = 0
09:35:18.931768 open("/lib64/libacl.so.1", O_RDONLY) = 3
09:35:18.931986 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200\36\300\2679\0\0\0@\0\0\0\0\0\0\0X|\0\0\0\0\0\0\0\0\0\0@\0008\0\7\0@\0\37\0\36\0"..., 832) = 832
09:35:18.932194 fstat(3, {st_mode=S_IFREG|0755, st_size=33816, ...}) = 0
09:35:18.932380 mmap(0x39b7c00000, 2126416, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x39b7c00000
09:35:18.932578 mprotect(0x39b7c07000, 2093056, PROT_NONE) = 0
09:35:18.932778 mmap(0x39b7e06000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x39b7e06000
09:35:18.933040 close(3) = 0
09:35:18.933337 open("/lib64/libc.so.6", O_RDONLY) = 3
09:35:18.933590 read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\356\1\2559\0\0\0@\0\0\0\0\0\0\0000a\35\0\0\0\0\0\0\0\0\0@\0008\0\n\0@\0N\0M\0"..., 832) = 832
09:35:18.933849 fstat(3, {st_mode=S_IFREG|0755, st_size=1930416, ...}) = 0
09:35:18.934076 mmap(0x39ad000000, 3750184, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x39ad000000
09:35:18.934346 mprotect(0x39ad18a000, 2097152, PROT_NONE) = 0
09:35:18.934528 mmap(0x39ad38a000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x18a000) = 0x39ad38a000
09:35:18.934739 mmap(0x39ad390000, 14632, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x39ad390000
09:35:18.934928 close(3) = 0
09:35:18.935128 open("/lib64/libdl.so.2", O_RDONLY) = 3
09:35:18.935483 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\r\300\2559\0\0\0@\0\0\0\0\0\0\0\260P\0\0\0\0\0\0\0\0\0\0@\0008\0\t\0@\0&\0%\0"..., 832) = 832
09:35:18.935671 fstat(3, {st_mode=S_IFREG|0755, st_size=23088, ...}) = 0
09:35:18.935874 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f874a99d000
09:35:18.936063 mmap(0x39adc00000, 2109696, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x39adc00000
09:35:18.936284 mprotect(0x39adc02000, 2097152, PROT_NONE) = 0
09:35:18.936538 mmap(0x39ade02000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x39ade02000
09:35:18.936790 close(3) = 0
09:35:18.937030 open("/lib64/libpthread.so.0", O_RDONLY) = 3
09:35:18.937304 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000^\200\2559\0\0\0@\0\0\0\0\0\0\0 2\2\0\0\0\0\0\0\0\0\0@\0008\0\t\0@\0*\0)\0"..., 832) = 832
09:35:18.937529 fstat(3, {st_mode=S_IFREG|0755, st_size=146592, ...}) = 0
09:35:18.937761 mmap(0x39ad800000, 2212848, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x39ad800000
09:35:18.938002 mprotect(0x39ad817000, 2097152, PROT_NONE) = 0
09:35:18.938233 mmap(0x39ada17000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x17000) = 0x39ada17000
09:35:18.938527 mmap(0x39ada19000, 13296, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x39ada19000
09:35:18.938782 close(3) = 0
09:35:18.939037 open("/lib64/libattr.so.1", O_RDONLY) = 3
09:35:18.939305 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200\23\200\2579\0\0\0@\0\0\0\0\0\0\0 K\0\0\0\0\0\0\0\0\0\0@\0008\0\7\0@\0\36\0\35\0"..., 832) = 832
09:35:18.939537 fstat(3, {st_mode=S_IFREG|0755, st_size=21152, ...}) = 0
09:35:18.939760 mmap(0x39af800000, 2113888, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x39af800000
09:35:18.940002 mprotect(0x39af804000, 2093056, PROT_NONE) = 0
09:35:18.940225 mmap(0x39afa03000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x39afa03000
09:35:18.940467 close(3) = 0
09:35:18.940672 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f874a99c000
09:35:18.940931 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f874a99a000
09:35:18.941144 arch_prctl(ARCH_SET_FS, 0x7f874a99a7a0) = 0
09:35:18.941463 mprotect(0x39aea1c000, 4096, PROT_READ) = 0
09:35:18.941706 mprotect(0x39ae606000, 4096, PROT_READ) = 0
09:35:18.941971 mprotect(0x39b7e06000, 4096, PROT_READ) = 0
09:35:18.942204 mprotect(0x39ad38a000, 16384, PROT_READ) = 0
09:35:18.942417 mprotect(0x39ade02000, 4096, PROT_READ) = 0
09:35:18.942635 mprotect(0x39ace20000, 4096, PROT_READ) = 0
09:35:18.942850 mprotect(0x39ada17000, 4096, PROT_READ) = 0
09:35:18.943080 mprotect(0x39afa03000, 4096, PROT_READ) = 0
09:35:18.943336 munmap(0x7f874a99f000, 41496) = 0
09:35:18.943602 set_tid_address(0x7f874a99aa70) = 20542
09:35:18.943791 set_robust_list(0x7f874a99aa80, 24) = 0
09:35:18.944033 futex(0x7ffc4edd7a8c, FUTEX_WAKE_PRIVATE, 1) = 0
09:35:18.944228 futex(0x7ffc4edd7a8c, FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME, 1, NULL, 7f874a99a7a0) = -1 EAGAIN (Resource temporarily unavailable)
09:35:18.944457 rt_sigaction(SIGRTMIN, {0x39ad805cb0, [], SA_RESTORER|SA_SIGINFO, 0x39ad80f7e0}, NULL, 8) = 0
09:35:18.944706 rt_sigaction(SIGRT_1, {0x39ad805d40, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x39ad80f7e0}, NULL, 8) = 0
09:35:18.944939 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
09:35:18.945172 getrlimit(RLIMIT_STACK, {rlim_cur=10240*1024, rlim_max=RLIM64_INFINITY}) = 0
09:35:18.945535 statfs("/selinux", {f_type="EXT2_SUPER_MAGIC", f_bsize=4096, f_blocks=10320720, f_bfree=3070821, f_bavail=2546559, f_files=2621440, f_ffree=2090835, f_fsid={387891684, 134857724}, f_namelen=255, f_frsize=4096}) = 0
09:35:18.945935 brk(0) = 0x2594000
09:35:18.946144 brk(0x25b5000) = 0x25b5000
09:35:18.946415 open("/proc/filesystems", O_RDONLY) = 3
09:35:18.946742 fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
09:35:18.946974 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f874a9a9000
09:35:18.947208 read(3, "nodev\tsysfs\nnodev\trootfs\nnodev\tbdev\nnodev\tproc\nnodev\tcgroup\nnode"..., 1024) = 310
09:35:18.947511 read(3, "", 1024) = 0
09:35:18.947726 close(3) = 0
09:35:18.947951 munmap(0x7f874a9a9000, 4096) = 0
09:35:18.948252 open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
09:35:18.948514 fstat(3, {st_mode=S_IFREG|0644, st_size=99174448, ...}) = 0
09:35:18.948713 mmap(NULL, 99174448, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f8744b05000
09:35:18.948965 close(3) = 0
09:35:18.949257 ioctl(1, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
09:35:18.949501 ioctl(1, TIOCGWINSZ, {ws_row=62, ws_col=204, ws_xpixel=1430, ws_ypixel=869}) = 0
09:35:18.949764 open(".", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
09:35:18.950007 fcntl(3, F_GETFD) = 0x1 (flags FD_CLOEXEC)
09:35:18.950241 getdents(3, /* 5 entries */, 32768) = 144
09:35:18.950497 getdents(3, /* 0 entries */, 32768) = 0
09:35:18.950696 close(3) = 0
09:35:18.950969 fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
09:35:18.951187 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f874a9a9000
09:35:18.951404 write(1, "demo-shell demo-shell.c strace-log\n", 37) = 37
09:35:18.951643 close(1) = 0
09:35:18.951848 munmap(0x7f874a9a9000, 4096) = 0
09:35:18.952108 close(2) = 0
09:35:18.952365 exit_group(0) = ?
09:35:18.952833 +++ exited with 0 +++
[root@demo lab]#
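One way to read the two logs above, as an added example (not part of the original post): it pairs each line the demo shell read from stdin with the child PID returned by clone() and the exit status reported by wait4(), then shows the PATH walk that execvp() performed in the child. The input lines are copied from the logs on this page; the function names are hypothetical.

```python
import re

# Lines copied from log.20541 (the demo shell) on this page; two of its four commands
PARENT = [
    r'09:35:17.046387 read(0, "ls\n", 1024) = 3',
    r'09:35:18.923214 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f17e60e89d0) = 20542',
    r'09:35:18.924211 wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 20542',
    r'09:35:30.639495 read(0, "# ctrl + d\n", 1024) = 11',
    r'09:35:43.687289 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f17e60e89d0) = 20553',
    r'09:35:43.688445 wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 20553',
    r'09:35:43.692547 read(0, "", 1024) = 0',
]
# Lines copied from log.20542 (the child that ran ls) on this page
CHILD = [
    '09:35:18.924010 execve("/usr/local/sbin/ls", ["ls"], [/* 22 vars */]) = -1 ENOENT (No such file or directory)',
    '09:35:18.924441 execve("/usr/local/bin/ls", ["ls"], [/* 22 vars */]) = -1 ENOENT (No such file or directory)',
    '09:35:18.924759 execve("/sbin/ls", ["ls"], [/* 22 vars */]) = -1 ENOENT (No such file or directory)',
    '09:35:18.925089 execve("/bin/ls", ["ls"], [/* 22 vars */]) = 0',
]

def commands(parent_lines):
    """Pair each line read from stdin with the child that ran it and its exit status."""
    out, cur = [], None
    for line in parent_lines:
        if m := re.search(r' read\(0, "(.*?)(?:\\n)?", \d+\) = \d+', line):
            cur = {"cmd": m.group(1)}          # a new command line was typed
        elif cur and (m := re.search(r" clone\(.*\) = (\d+)$", line)):
            cur["pid"] = int(m.group(1))       # fork() shows up as clone() in the trace
        elif cur and (m := re.search(r" wait4\(.*WEXITSTATUS\(s\) == (\d+)\}\].*= (\d+)$", line)):
            if cur.get("pid") == int(m.group(2)):
                cur["exit"] = int(m.group(1))
                out.append(cur)
            cur = None
    return out

def exec_search(child_lines):
    """Return (paths that failed, path that succeeded) for the execvp() PATH walk."""
    failed, ok = [], None
    for line in child_lines:
        m = re.search(r' execve\("([^"]+)", .*\) = (-?\d+)', line)
        if m and m.group(2) == "0":
            ok = m.group(1)
            break
        if m:
            failed.append(m.group(1))
    return failed, ok

if __name__ == "__main__":
    print(commands(PARENT))
    print(exec_search(CHILD))
```

The second result shows which binary actually ran for the bare name `ls` and which PATH directories were tried before it.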
Train your blade squad and enjoy it.
Last updated: 2017-08-13 22:38:16